Analysis
-
max time kernel
119s -
max time network
130s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
19-01-2022 10:32
Static task
static1
Behavioral task
behavioral1
Sample
6b8579744d4f9a2200a1e090181e4d6e.exe
Resource
win7-en-20211208
General
-
Target
6b8579744d4f9a2200a1e090181e4d6e.exe
-
Size
409KB
-
MD5
6b8579744d4f9a2200a1e090181e4d6e
-
SHA1
130a983fc16bdcb13b4a119a30e0162304f540f0
-
SHA256
558e3327ff438b57d187561ff840813f5087392a0bcbd26c918645d9dde26f19
-
SHA512
aa8078e1ff3a13f317acb9766ccb1ce03f7285f78431988710691cb2c3a590adbd0f97a8ccb88f77c180c8f31585aef118d0a60d6e247dbf02cb38e4bbad8e8e
Malware Config
Extracted
redline
Testing
185.215.113.10:39759
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource yara_rule behavioral1/memory/1688-57-0x0000000002010000-0x0000000002044000-memory.dmp family_redline behavioral1/memory/1688-58-0x00000000021A0000-0x00000000021D2000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1688 6b8579744d4f9a2200a1e090181e4d6e.exe